Portlandia Cloud Services


Reducing Spam In Your Inbox
 
Please read this article in its entirety; do not skim it. The critical points are at the end, but you will not be able to use them unless you read the rest of the article, as they build on material introduced earlier.
 
“Why do I get all this SPAM”
 
This is a common question asked of all e-mail providers and ISPs by their users. Every email box on the Internet that is used for sending and receiving public email eventually starts getting spam. Over the years many experiments have been done by anti-spam advocates. To this date none of them have ever successfully created an email box on ANY service provider, sent out emails from it to “regular users” on the Internet, and then had it remain immune from getting spam back.
 
Spammers are experts at harvesting email addresses. They comb through published websites and subscribe to public mailing lists to harvest addresses. They attack mailservers with guessing algorithms. They run sophisticated virus networks: if one of their viruses infects ANY PC that has EVER received a message from you, they will get your email address. And finally they instigate large-scale break-ins on major sites. For example, eBay reported in May of 2014 that its entire userbase had been compromised – meaning that the email address of every single person who has ever bought or sold anything on eBay is now available to spammers, both for direct spamming and for sending their virus-laden “phishing” emails to attempt to harvest more addresses.
 
Spammers have even resorted to scavenging names from government public records documents, as detailed here.
 
As a user you CANNOT control the security of OTHER PEOPLE’s computers that are used to read emails from you or that contain your email address. You can ONLY control your OWN computer’s security. If you send an email to anyone on the Internet, they can have that email saved for years and even decades in their archived email. If they ever get a spammer’s virus, your email address will become known to spammers.
 
Once one spammer gets your email address, your address will be sold to all spammers over time. This is why many people have observed that they can have an email address spam-free for a long time and then suddenly start getting a lot of spam. Note also that if you have multiple aliases – that is, multiple email addresses that are forwarded to your actual e-mail address – you will get more spam. For example, if you have “david@example.com” and then add “david.smith@example.com” as an alias, you will get more spam – sometimes twice as much – because the spammers think these two addresses go to different people.
 
“My friend on Brand-X ISP doesn’t get as much spam as I do”
 
Most of the time these statements are not apples-to-apples comparisons. Often “your friend” has an email address that is young; maybe it was just created a few months earlier (because his old one was drowning in spam). He also may not have used his address the same way as you do. Even in cases that are true apples-to-apples comparisons, the likelihood is that your friend is still getting as much spam as you are. The difference is that he and/or his ISP is managing it differently than you do, so that less of it appears in his inbox.
 
The rest of this article categorizes the tools available to you to help manage spam sent to you so that you will have as clean an inbox as possible.
 
Spam today comes from two types of senders: legitimate institutions or criminals.
 
Legitimate-institution spam (called soft-spam by Gmail) comes from opt-in mailing lists, legitimate companies (for example, publicly traded companies) that send out newsletters, and online website stores that craftily hide “opt-in” and “opt-out” check boxes in their purchasing shopping carts. Often these companies buy email address lists from spammers. Many times they will trumpet in their advertising that they only purchase email addresses that are the result of opt-in decisions by users or that meet various direct-mail industry guidelines. However, anti-spam researchers have found that test email addresses set up to check whether these companies really are using opt-in guidelines will still start getting spam.
 
The primary difference between legitimate institutions that are spamming and criminals that are spamming is that the legitimate business is licensed and registered under a state government (in the US) or international government, pays taxes, and has legitimate contact information. What this means is that if you send a complaint to them, they will get it.
 
Criminal spamming, on the other hand, originates from people and organizations that do everything possible to hide who they are. They break into servers and hijack them to send spam, they use “throwaway” domain names, and they have various criminal goals, from identity theft, to theft of your data (to look for more victims’ email addresses to spam or to attempt to blackmail you), to hijacking your computer to use to attack others. There is no way to contact them, and only a computer forensic expert can trace them back to their origination point – and that almost always ends up a dead end, as the origination point is generally a public IP address in a coffee shop or library where the access is free. Many times it is an IP address located in a foreign country.
 
You must determine which kind of sender has sent a particular piece of spam in order to determine the appropriate way to handle it. This can often be done simply by reading the Subject line of the message without opening it, and reading the content of the messages you’re not sure of.
 
Filtering spam
 
The easiest spam to block is criminal spam, since there is only one method available to you to block it – email spam filtering. This is normally done by your email provider. Here at Portlandia we use SpamAssassin and ClamAV for spam and virus filtering. They are not foolproof, but they tag most of the criminal spam. If an email message in your inbox has SPAM in the subject line, it has been tagged. The reason we send these to you by default is that sometimes the filter guesses wrong and the message is not actually spam. That is known as a “False Positive”. We encourage you to build up confidence in our filter by observing its operation for a few weeks before taking further action. Our experience is that in operation, criminal spam is usually identified by our filter.
 
Nowadays, legitimate-institution spam is what we get the most complaints about. It often comes as a surprise to customers that we don’t tag spam from legitimate institutions. This is because legitimate institutions have a lot to lose, so they follow the CAN-SPAM laws in the United States. Among other things, the law requires spammers to have a legitimate email address they respond to, which means that if you email them a complaint they have to spend money paying someone to read it. If everyone who was spammed complained, it would be costly to them. The US Congress felt that was enough of a check to prevent legitimate institutions from spamming. Unfortunately it has proven not to be; however, today the lobbyists for the direct mail industry are so powerful that they have prevented any changes to the law. The law also requires spammers to immediately take your email address off their mailing list if you complain, as well as to mark the mail Bulk. Unfortunately it does not prevent them from selling your email address to other spammers.
 
From a computer’s filtering perspective, spam from legitimate senders is almost indistinguishable from normal email so the filters tend to miss a lot of it. Also, the large spammers pay money to a company called Return Path that “whitelists” (guarantees delivery of) their spam to the larger email providers like Gmail, Yahoo, etc. Because of this, there is not a lot of spam that originates from legitimate senders that gets filtered at the ISP or email provider.
 
Secondary filtering
 
Once the incoming mail has passed through the main email provider’s spam filter and is being delivered to your mailbox, many email providers (like us) provide a mechanism for secondary mail filtering that runs on the mailserver. This is how you can remove from your inbox the remaining criminal spam that passes the ISP spam filter, as well as the legitimate spam such as newsletters and so on.
 
At Portlandia, when we set up an email box we ask whether you are using POP3 or IMAP. POP3 accounts have only one possible option for secondary filtering: identified spam can be automatically deleted. Otherwise all mail will go into your inbox. With POP3 accounts, all of the secondary filtering must be done in your email program. Many email programs have “Rules” wizards that can sort incoming mail to junk mail folders or other folders.
 
IMAP accounts, by contrast, have additional secondary filtering options. For starters, identified SPAM can be automatically put in a Junk Mail folder. This is similar to how many other services operate. IMAP accounts can also have filters that will look for keywords present in legitimate spam that does not get identified by our filter. Examples are “precedence bulk”, “unsubscribe” and “newsletter”. However, this can only be done for IMAP customers who have a Junk Mail folder. You must set up your IMAP account and then create the Junk Mail folder from your email program before these filters can be set up.
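The ordering of such secondary rules is easier to see in code. The following is an added example, not Portlandia's own filter: the function name, the sample messages and the assumption that the primary filter's tag appears as the word SPAM in the Subject are all illustrative.

```python
from email import message_from_string, policy

# Constructed sample messages (not real mail).
NEWSLETTER = """\
From: Shop News <news@shop.example>
Subject: Spring deals
Precedence: bulk

This week's offers inside.
"""
PERSONAL = """\
From: Ann <ann@friend.example>
Subject: Lunch on Friday?

Are you free at noon?
"""
TAGGED = """\
From: x@throwaway.example
Subject: SPAM Cheap watches

Buy now.
"""

BODY_KEYWORDS = ("unsubscribe", "newsletter")  # keywords named in the article


def choose_folder(raw, has_junk_folder=True):
    """Return (folder, rule) for one message; the first matching rule wins."""
    if not has_junk_folder:  # the filters need an existing Junk Mail folder
        return ("INBOX", "no Junk Mail folder")
    msg = message_from_string(raw, policy=policy.default)
    if "SPAM" in str(msg.get("Subject", "")):  # assumed form of the provider's tag
        return ("Junk Mail", "tagged by primary filter")
    if str(msg.get("Precedence", "")).strip().lower() == "bulk":
        return ("Junk Mail", "precedence bulk")
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content().lower() if part is not None else ""
    for word in BODY_KEYWORDS:
        if word in text:
            return ("Junk Mail", "keyword: " + word)
    return ("INBOX", "no rule matched")
```

Keyword rules also catch ordinary mail that happens to contain those words, so the Junk Mail folder still needs to be reviewed from time to time.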
 
Unsubscribing
 
Most spam, both criminal and legitimate, contains Unsubscribe links. Criminal spam contains these links in order to make it appear to be legitimate, but the links do not work or they go to infected machines that attempt to download viruses to your computer. So in the past the recommendation has been to never click the Unsubscribe links in spam. But, as an increasing amount of spam today is of the legitimate variety, many times the Unsubscribe links actually do work. So, today the recommendation that we make is to identify the legitimate spam and unsubscribe from it by clicking the Unsubscribe link in the spams. ONLY do this if you are sure it’s from a legitimate sender!
 
There are two risks to clicking the unsubscribe links. The first is that if the spam is from a criminal then besides not working, it will most likely add more spam to your inbox. The second is that many times criminal spams contain unsubscribe links that take you to virus-infected websites. So, before trying to unsubscribe, you must have a current antivirus program that does URL scanning on your system. Avast is an example of one such program.
 
Blindly clicking the Unsubscribe links in every piece of spam will not work. And you should NEVER click an unsubscribe link in a mail message we have already identified as spam and tagged as spam in the Subject line. It is critical to learn how to tell the difference between legitimate spam and criminal spam that makes it past the filter.
 
Identifying criminal spam and legitimate spam
 
Before embarking on this it is important to understand that sometimes there is not one single deciding factor that will identify spam as criminal or legitimate. Most factors must be weighed against each other. Note that spams that have any of the criminal attributes are most likely criminal.
 
Indicators of criminal spam:
 
1) Your antivirus URL scanner indicates that a URL in the spam has been blocked as dangerous.
 
2) You have never seen the sender in the past. This is why it is most useful to check your Junk Mail folder for past spams from this sender before deciding it is from a legitimate sender. If it looks kind of legitimate, put it in your junk folder; if it is legitimate spam, you’re certainly going to see more of them from this sender.
 
3) The spam is an enticement to do something illegal or immoral. Examples are: enticement to cheat on your spouse, enticement to buy prescription drugs from foreign countries, enticement to get insider trading information.
 
4) The message in the spam contains many nonsense words (sometimes these are not easily visible). These are referred to as Bayesian poisoning; their purpose is to defeat anti-spam filters.
 
5) The Unsubscribe link in the spam is a graphic and not text, or it is missing entirely. If you drag your mouse across the unsubscribe message and the block of text moves as if it were a picture, then it’s a graphic. If you can right-click on it and save it as a gif, jpg, or png, then it’s a graphic.
 
6) Clicking on the unsubscribe link does not show your email address. A legitimate spammer will already know your email address and will know that it’s legitimate because they will not have gotten a bounce from the mailserver when they sent the spam. They will show the address on the unsubscribe page.
 
7) The subject line of the spam is in a foreign language. A legitimate spammer will know your language, an advertising spam does no good for them if you can’t read it.
 
8) The content of the spam is “too good to be true”, such as offers to buy something at an incredibly low price. (Even if it IS legitimate, when you purchase something from a business that engages in spamming, you are encouraging spamming to happen.) This is less of an indicator that it is criminal spam.
 
9) The subject of the spam has nothing to do with the content of the spam. This is also less of an indicator that it is criminal spam.
 
10) The spam is under 50k in size (use the size reported on the subject line in your email program). This is also less of an indicator that it is criminal spam.
 
Indicators of legitimate spam. Note that the presence of 1 or a few of these indicators is no guarantee that it’s legitimate.
 
1) You have received emails from this same sender before. (check your junk mail)
 
2) The Subject line is long and descriptive and the sender appears to be consistent with the subject.
 
3) The Unsubscribe link is consistent with the sender – for example the sender might be From: “ChristianMingle.com Christian_Mingle@bakucarpe.com” and the Unsubscribe link might say “To stop receiving future messages from us, please click http://ocbe98.bakucarpe.com/367802422a777xxxxxxxx…” You may need to look at the message source (from the email program’s menu: View, Message Source) to determine this.
 
4) The spam message is over 200k in size
 
5) The spam is marked as an advertisement in the body of the spam
 
6) The spam has a prominent unsubscribe link that is text. If you drag your mouse across the unsubscribe message and you can copy individual characters then it’s text.
 
7) Essentially the opposite of the characteristics that a criminal spam has
 
You can see that determining if a spam is criminal or legitimate can be difficult. In the event you are not sure about a particular piece of spam, it is best to assume it’s criminal and do not attempt to unsubscribe. If it is a legitimate piece of spam, they will likely send you spam again in the future and you can then attempt to unsubscribe.
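Two of the checks above can be made from the message source without clicking anything: whether the Unsubscribe link is text or a graphic, and whether its host is consistent with the sender's domain. This is an added example, not code from Portlandia; the class and function names and the sample messages are constructed for illustration, and the suffix comparison is only an approximation of "same sender".

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample messages; all names and addresses are made up.
HEAD = 'From: "Shop News" <news@shop.example>\nContent-Type: text/html\n\n'
CONSISTENT = HEAD + '<a href="http://mail.shop.example/unsubscribe?id=1">Unsubscribe</a>'
SUSPECT = HEAD + '<a href="http://203.0.113.7/x"><img src="u.png" alt="unsubscribe"></a>'


class UnsubLinks(HTMLParser):
    """Collect (href, kind) for links whose text, alt text or URL says unsubscribe."""
    def __init__(self):
        super().__init__()
        self.links, self.href, self.text, self.img = [], None, "", False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self.href, self.text, self.img = a.get("href"), "", False
        elif tag == "img" and self.href is not None:
            self.img, self.text = True, self.text + (a.get("alt") or "")

    def handle_data(self, data):
        if self.href is not None:
            self.text += data

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            if "unsubscribe" in (self.text + " " + self.href).lower():
                self.links.append((self.href, "graphic" if self.img else "text"))
            self.href = None


def check_unsubscribe(raw):
    """One finding per unsubscribe link; an empty list means none was found."""
    msg = message_from_string(raw, policy=policy.default)
    domain = msg["From"].addresses[0].domain.lower()
    part = msg.get_body(preferencelist=("html",))
    parser = UnsubLinks()
    parser.feed(part.get_content() if part is not None else "")
    findings = []
    for href, kind in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        same = host == domain or host.endswith("." + domain)  # approximation
        findings.append({"host": host, "kind": kind, "matches_sender": same})
    return findings
```

A graphic link, a host that does not match the sender, or an empty result each count toward the criminal side, and as the article says they are to be weighed together with the other indicators.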
 
The last thing I’ll discuss is addressing, as many users have asked why we can’t just delete anything that isn’t addressed to them.
 
Addressing:
 
All email has two sender addresses and two recipient addresses. They are called the Envelope and the Header addresses. Sometimes they are different. This is not cause for concern in many cases.
 
Sometimes a sender will wish for replies to go back to a different address. For example many discussion e-mail mailing lists operate this way. The Sender of a post to an email list may show as the From: address but the envelope address is from the mailing list itself.
 
Sometimes the recipient will be set to be a distribution list – such as “To: all users” but the envelope address will be to the particular user who gets the mail message.
 
Spammers frequently abuse these addresses, but any kind of filtering that is keyed off differences in those addresses will block non-spam email as well as spam.
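The effect of such a rule can be shown on three messages. This is an added example, not Portlandia's code: the samples are constructed, the function names are illustrative, and it assumes the mailserver records the envelope sender in Return-Path and the envelope recipient in Delivered-To.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed samples. Return-Path carries the envelope sender; Delivered-To is
# assumed to carry the envelope recipient (common, but it varies by mailserver).
DIRECT = """\
Return-Path: <ann@friend.example>
Delivered-To: david@example.com
From: Ann <ann@friend.example>
To: david@example.com

Lunch at noon?
"""
LIST_POST = """\
Return-Path: <users-bounces@lists.example.org>
Delivered-To: david@example.com
From: Bob <bob@member.example>
To: users@lists.example.org

Meeting notes attached.
"""
FORGED = """\
Return-Path: <bounce@throwaway.example>
Delivered-To: david@example.com
From: Your Bank <service@bank.example>
To: customers@bank.example

Please verify your account.
"""


def addressing(raw):
    """Compare the envelope addresses with the From:/To:/Cc: header addresses."""
    msg = message_from_string(raw, policy=policy.default)
    one = lambda name: parseaddr(str(msg.get(name, "")))[1].lower()
    listed = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    header_to = {addr.lower() for _, addr in getaddresses(listed)}
    return {"sender_differs": one("Return-Path") != one("From"),
            "recipient_differs": one("Delivered-To") not in header_to}


def naive_filter(raw):
    """The rule users ask for: junk anything whose addresses do not line up."""
    result = addressing(raw)
    return "Junk Mail" if any(result.values()) else "INBOX"
```

The ordinary mailing-list post and the forged message produce the same mismatch, so the rule files both in Junk Mail.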